
To prove the correctness of FTMC, the output of MAJ should be proven to be free from the influence of a faulty intermedium. Hence, we shall prove that a fault-free receiver can receive the message sent by a fault-free sender or can detect that the sender did not send a message to it.

Lemma 1. Using FTMC, a fault-free receiver R can receive the message m sent by a fault-free sender S if c > 2Pa + Pd + 2(La + Ld).

Proof: Using FTMC, the fault-free sender S sends c copies of m to R through c disjoint paths. According to the path information and transferring rules presented in section 4-2-2, each dormant faulty intermedium (processor and link) can drop at most one of these c messages. In the worst case, R has at least c – Pd – Ld messages sent by S. By hypothesis, we know that c – Pd – Ld > 2Pa + 2La + Ld. Therefore, R can decide the message sent by S when the majority vote MAJ is applied to these c – Pd – Ld messages.

Then, we prove that FTLE makes each fault-free processor elect a common leader.

Since FTLE is based on the oral message model, some concepts and terminologies used by [6] are used here. A vertex σ is called common [6] if the value stored at σ of each fault-free processor’s IG-tree is identical. In other words, a common leader for a leader election can be reached if the root of each fault-free processor’s IG-tree is common. If every root-to-leaf path of an IG-tree contains a common vertex, then the collection of the common vertices forms a common frontier [5]. To prove that a common leader for a leader election can be reached by FTLE, we define a consistent vertex as follows.

Consistent vertex: Vertex α (= σi) at a fault-free receiver’s IG-tree is a consistent vertex if sender i is fault-free or dormant faulty. By the behavior of i, all fault-free receivers receive the identical message sent by i. Although a receiver does not know which vertex is consistent, the consistent vertices do exist since some senders in the network are fault-free or dormant faulty.

Theorem 3. FTMC does remove the influence of a faulty intermedium in a mobile ad-hoc network if c > 2Pa + Pd + 2(La + Ld).

Proof: By Lemma 1 and 2, the message received by R is free from the influence of a faulty intermedium; thus, the theorem is proved.

Lemma 2. Using FTMC, a fault-free receiver R can detect that the sender S did not send a message to it if c > 2Pa + Pd + 2(La + Ld).

Proof: When S does not send a message to R, each fault-free immediate successor of S (along the disjoint paths between S and R) will relay the symbol ∅ to R. In the worst case, R receives at least c – (Pd – 1) – Ld messages of value ∅. By hypothesis, we know that c – (Pd – 1) – Ld > 2Pa + 2La + Ld. Hence, the output of the majority vote MAJ is ∅, and R notices that S did not send a message to it.
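The worst cases argued in Lemma 1 and Lemma 2 can be checked mechanically. The following is an added example, not code from the original text: it assumes MAJ is a strict-majority vote over the copies that arrive, that each dormant fault drops one copy and each arbitrary fault forges one copy on its own path, and all function names are hypothetical.

```python
from collections import Counter
from itertools import product

ABSENT = "∅"  # symbol relayed to R when the sender stayed silent (Lemma 2)

def bound_holds(c, pa, pd, la, ld):
    """Connectivity constraint stated in Lemma 1 and Lemma 2."""
    return c > 2 * pa + pd + 2 * (la + ld)

def maj(received):
    """Assumed MAJ: the value carried by a strict majority of the copies
    that arrived, or None when no value reaches a strict majority."""
    if not received:
        return None
    value, count = Counter(received).most_common(1)[0]
    return value if 2 * count > len(received) else None

def worst_case_delivery(c, pa, pd, la, ld, sent, forged="FORGED"):
    """Copies reaching R over c disjoint paths in the assumed worst case:
    each dormant fault drops one copy, each arbitrary fault replaces one
    copy with the same forged value, and no path carries two faults."""
    dropped, altered = pd + ld, pa + la
    if dropped + altered > c:
        raise ValueError("more faulty paths than disjoint paths")
    return [forged] * altered + [sent] * (c - dropped - altered)

def check_sufficiency(max_c=10):
    """Enumerate every fault assignment that satisfies the bound and collect
    the ones where MAJ does not return what the fault-free sender sent."""
    checked, failures = 0, []
    for c in range(1, max_c + 1):
        for pa, pd, la, ld in product(range(c + 1), repeat=4):
            if not bound_holds(c, pa, pd, la, ld):
                continue
            checked += 1
            for sent in ("m", ABSENT):
                got = worst_case_delivery(c, pa, pd, la, ld, sent)
                if maj(got) != sent:
                    failures.append((c, pa, pd, la, ld, sent))
    return checked, failures

if __name__ == "__main__":
    print(check_sufficiency())
    # Constructed violation: c = 4 is not > 2*2, so two forged copies tie two honest ones.
    print(maj(worst_case_delivery(4, 2, 0, 0, 0, "m")))
```

The enumeration only confirms that the bound is sufficient in this simplified fault model; it says nothing about whether the bound is tight.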

The following lemma proves that all consistent vertices of an IG-tree are common:

Lemma 3. All consistent vertices are common after VOTE is applied to an IG-tree if n > 3Pa+Pd.

Proof: Each consistent vertex σ of an IG-tree can be proven as common in the following cases.

Case 1: σ is a leaf.

Fault-free and dormant faulty senders always send identical messages to all receivers. Hence, σ is common after VOTE is applied to σ.

Case 2: σ is at the i-th level, 1≤ i ≤ t.

Subcase 2.1: σ has at least 3 * (t -i + 1) + [(n -1) mod 3] children, each of which has a stored value ‘As’. By condition (C2) of VOTE, the original value stored at σ, namely val(σ), is used as the output of VOTE; thus, σ is common.

Subcase 2.2: σ has k (< 3 * (t - i + 1) + [(n - 1) mod 3]) children, each of which has a stored value ‘As’. According to the structure of the IG-tree, σ has n - i children. By hypothesis, we have n – Pa – Pd > 2Pa. Since t ≥ Pa, we have n – i ≥ n - t ≥ n - Pa; moreover, since k ≤ Pd, we can write n - i - k > 2Pa. Hence, by condition (C3), (C4) or (C5) of VOTE, σ is common.

Case 3: σ is the root.

According to the structure of the IG-tree, σ has n-1 children. If no arbitrary faulty processor exists in the network, namely Pd = 0, the children of σ are subject to dormant faults only. These influences are removed by using the absent rule; therefore, σ is common. On the other hand, suppose that some senders in the network are subjected to arbitrary faults, namely Pa ≥ 1. By hypothesis, we have n – Pa – Pd > 2Pa. Since Pa ≥ 1, we can write

n – 1 ≥ n – Pa,

=> n – 1 – Pd ≥ n – Pa – Pd > 2Pa

=> n – 1 > 2Pa + Pd.

Hence, σ is common after the VOTE is applied.

By the frontier lemma of [6], the root of the fault-free processor’s IG-tree is common if the common frontier exists on each fault-free processor’s IG-tree. The following theorems prove that a common leader can be elected among the fault-free processors.

Theorem 5. FTLE does solve the leader election problem in a fault-tolerant mobile ad hoc network with mixed faults if n > 3Pa+Pd and c > 2Pa + Pd + 2(La + Ld).

Proof: By Theorem 4, the agreement condition is satisfied. The valid condition is used when the originator is fault-free. Since the originator is fault-free, all other fault-free processors receive the originator’s new leader’s id, lid, at the first round. Subsequently, these processors execute message exchanges to verify the message received from the originator. Therefore, the consistent vertices of each fault-free processor’s IG-tree are lid. By Lemma 4, the root of each fault-free processor’s IG-tree is consistent because the originator is fault-free. By Theorem 4, the root is common and the value stored in the root of a fault-free processor’s IG-tree is lid. Thus, the valid condition is satisfied. The theorem is proven.

Theorem 4. The root of a fault-free processor’s IG-tree is common.

Proof: From Lemma 4 and the frontier lemma of [6], the theorem is proven.

Lemma 4. The common frontier does exist in the IG-tree.

Proof: By the definition of the IG-tree, each root-to-leaf path consists of two vertices. Since the maximum number of arbitrary faulty processors is Pa (≤ ⌊(n − 1)/3⌋), each root-to-leaf path has at least one consistent vertex. By Lemma 3, a consistent vertex is common. Therefore, the common frontier does exist in the IG-tree.

4.5 Complexity

The complexity of FTLE is defined in terms of 1) the number of messages required, 2) the number of faulty components allowed, and 3) the amount of memory used.

In this subsection, we prove that FTLE is optimal. It uses the minimum number of rounds and messages to tolerate the maximum number of faulty components.

Theorem 6. FTLE requires t+1 rounds and one transaction of the ID-based threshold key distribution. O(ts*n + c(n-1) + tc(n-1)^2) messages are required for solving the leader election problem in a fault-tolerant mobile ad-hoc network if n > 3Pa+Pd and c > 2Pa + Pd + 2(La + Ld), where ts = the threshold value of the ID-based threshold key distribution.

Proof: Message passing is needed in the message exchange step only; thus FTLE requires t+1 rounds. As mentioned in section 4-1, a sender uses FTMC to send its messages to a receiver for removing the influence of a faulty intermedium (c copies of its message are sent). At the first round, the originator broadcasts its new leader’s id to all other receivers; thus, c(n-1) messages are generated. Subsequently, each sender broadcasts its message to all receivers (excluding the originator) in each exchange round; thus, O(tc(n-1)^2) messages are generated. Furthermore, FTLE needs O(ts*n) messages in the message encryption step for exchanging the key parameter and for establishing the secret key. Therefore, the total number of messages required by FTLE is O(ts*n + c(n-1) + tc(n-1)^2). By Theorem 4, FTLE can make each fault-free processor elect a common leader. Hence, the theorem is proven.

Theorem 9. The total memory usage of FTLE is O(n^t).

Proof: By Theorem 6, FTLE requires t+1 rounds to exchange messages. As stated in the definition of the IG-tree in section 4.1, a vertex at the t-th level has n-t leaves as children, as shown in Fig. 4-2, where t = ⌊(n − 1)/3⌋. Therefore, there are 1 × (n – 1) × (n – 2) × ⋯ × (n – t) vertices in each IG-tree. When k originators initiate elections, each processor maintains at most k IG-trees, where k ≤ n. We need O(n^t) of memory usage to solve the LE problem. Hence, the theorem is proven.

Theorem 8. The total number of allowable faulty components by FTLE, namely Pa + Pd + La + Ld, is maximum if n > 3Pa+Pd and c > 2Pa + Pd + 2(La + Ld).

Proof: By Theorem 1, a protocol for the LE problem in a fault-tolerant mobile ad hoc network does exist if the constraints on failures, namely n > 3Pa+Pd and c > 2Pa + Pd + 2(La + Ld), hold. Otherwise, a common leader cannot be elected. If Pa + Pd + La + Ld is not the maximum number of allowable faulty components, then other constraints on failures should exist, namely n ≤ 3Pa+Pd and c ≤ 2Pa + Pd + 2(La + Ld). However, this is a contradiction with Theorem 1. Thus, the theorem is proven.

Theorem 7. FTLE solves the leader election problem in a fault-tolerant mobile ad hoc network by using the minimum number of rounds and messages.

Proof: If the system’s faulty status is unknown, then t+1 rounds is proven to be the lower bound on message passing for reaching an agreement under a mobile ad hoc network [19, 35]. To remove the influence of multiple faulty components, by Theorem 6, O(ts*n + c(n-1) + tc(n-1)^2) is the lower bound on the number of messages required for electing a leader. Hence, the theorem is proven.
